Right to Erasure (‘Right to be Forgotten’) Policy
Individuals have the right to request erasure of their personal data in certain circumstances.
Our business must comply with the requirements of the General Data Protection Regulations (GDPR) and we must be able to demonstrate compliance to the Information Commissioner’s Office (ICO).
Upon receipt of a request for erasure our internal policy is as follows:
Chris Flannagan, Data Protection Officer for Tin Lid Protection (TLP) Ltd. is responsible for the handling of right to erasure requests in our business.
The duties of Tin Lid Protection (TLP) Ltd. Data Protection Officer include but are not limited to:
- Log the receipt and fulfilment of all requests received from a data subject/the person making the request/requestor.
- Acknowledge the request.
- Verify the identity of any person making the request.
- Maintain a database on the volume of requests and compliance against the statutory timescales.
- Verify whether if we are the controller of the data subject’s personal data.
- Check if we are not a controller, but rather a processor. If so, inform the data subject and refer them to the actual controller. This needs to be recorded in writing.
- Where applicable, decide if a request is excessive, unfounded or repetitive and communicate this to the requestor.
- Decide if an exemption applies.
- If a request is submitted in electronic form, any information should preferably be provided by electronic means as well.
Oral or written requests.
Right to erasure requests can be made in writing, electronically or verbally, although Tin Lid Protection (TLP) Ltd. on receipt of a verbal request, may request written confirmation.
If a member of staff is in any doubt if a certain situation has given rise to a valid right of erasure, contact the Data Protection Officer (Chris Flannagan firstname.lastname@example.org ) by email providing full details of the incident. Staff should do this without delay and certainly within two business days.
Where a member of staff receives a right to erasure request, they must email the relevant information to the Data Protection Officer (Chris Flannagan email@example.com ) without delay and certainly within two business days.
How do we verify the requestor’s identity?
If we are in doubt as to the identity of the requestor, we may ask the individual to supply valid evidence to prove their identity.
We may verify the requestor’s identity by letter (either electronic mail or postal) and request the following forms of identification.
We accept the following forms of identification:
- Group One:
- Current UK/EEA Passport.
- UK Driving Licence.
- Group Two:
- Financial Statement issued by bank, building society or credit card company.
- Utility bill for supply of gas, electric, water or telephone landline.
Tin Lid Protection (TLP) Ltd. will only ask for one document from each group.
How to process the request.
Our aim is to determine the validity of the erasure request. If the request is not clear, or where if we process a large quantity of information about an individual, the GDPR permits us to ask the individual to specify the information the request relates to. Where this applies, we will proceed with a request for additional information.
We must respond to the data subject within 30 days of receiving the request as valid. This is a requirement under the GDPR.
Any employee, who receives an erasure request (and is appropriately trained), must show due diligence and attempt to locate and supply information relating to an erasure request, must make a full exhaustive search of the records which they are responsible for or own. This may include but is not limited to emails (including archived emails and those that have been deleted but are still recoverable), Word documents, spreadsheets, databases, systems, removable media (for example, memory sticks), recordings, paper records in relevant filing systems. Where a staff member is or feels they are not appropriately trained to conduct these initial enquiries, the Data Protection Officer must be informed. Where initial enquiries have been conducted, a full breakdown of enquiries must be provided to the Data Protection Officer.
Tin Lid Protection (TLP) Ltd. Data Protection Officer should check whether the erasure request also involves data shared with third parties or online.
If it is found to be a valid request for erasure, Tin Lid Protection (TLP) Ltd. must comply unless an exemption can be applied (see below). Information must be supplied in an intelligible form and must explain acronyms, codes or complex terms, where relevant.
No charge to comply with the request (with exceptions).
We must fulfil valid requests for erasure free of charge, as per the GDPR rules. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
Where applicable, the Directors of Tin Lid Protection (TLP) Ltd. in consultation with the Data Protection Officer, will determine the ‘reasonable fee’ that must be based on our administrative cost incurred by the business.
Excessive, manifestly unfounded or repetitive requests.
Where requests are manifestly unfounded, excessive and repetitive, we may refuse to act on the request or charge a reasonable administration fee. The fee will be decided by the Directors of Tin Lid Protection (TLP) Ltd. in consultation with the Data Protection Officer.
Tin Lid Protection (TLP) Ltd. Data Protection Officer must provide information on the decision to the requestor in writing within 30 days and must state how they reached their decision.
As stated, we have to respond to a request for erasure within 30 days. If more time is needed to respond to complex requests, an extension of another two months is permissible, provided this is communicated to the data subject in a timely manner and within 30 days.
Where we decide not to take action on the request of the data subject, we need to inform the data subject of this decision without delay and at the latest within 30 days of receipt of the request.
How to handle exemptions.
If a member of staff believes that we have a valid business reason for an exemption, please inform the Data Protection Officer without delay by email to Chris Flannagan ( firstname.lastname@example.org )
Where a requestor is not satisfied with a response to a request, we must manage this as a complaint. We must advise the requestor that if they remain unhappy with the outcome they may complain to the Information Commissioners Office or take legal action against us.
Breaches of this policy by members of staff will be investigated and may result in disciplinary action. Serious breaches of policy may be considered gross misconduct and result in dismissal without notice, or legal action being taken against the relevant member of staff.